... I : //y -75- 

NASA Technical Memorandum 1Q6199 _/"?& 

0 - /f 


Achievements and Challenges of Space Station 
Freedom's Safety Review Process 


David W. Robinson 


Lewis Research Center 


Cleveland, Ohio 

■ -■ 

N94-10640 

(NASA— TM— 106199) ACHIEVEMENTS AND 
CHALLENGES OF SPACE STATION 
FREEDOM'S SAFETY REVIEW PROCESS 






(NASA) 17 p 

Unc 1 as 


G3/15 0175556 


Prepared for the — 

11th International System Safety Conference 
sponsored by the System Safety Society 
Cincinnati, Ohio, July 28-August 2, 1993 



ACHIEVEMENTS AND CHALLENGES OF SPACE STATION FREEDOM’S 

SAFETY REVIEW PROCESS 


David W. Robinson 

National Aeronautics and Space Administration 
Lewis Research Center 
Cleveland, Ohio 44135 


SUMMARY 


The roost complex space vehicle in history. Space Station Freedom, is well underway 
to completion, and System Safety is a vital part of the program. The purpose of this 
paper is to summarize and illustrate the progress that over one-hundred System 
Safety engineers have made in identifying, documenting, and controlling the hazards 
inherent in the space station. To date. Space Station Freedom has been reviewed by 
NASA's safety panels through the first six assembly flights, when Freedom achieves a 
configuration known as Man Tended Capability. During the eight weeks of safety 
reviews spread out over a year and a half, over 200 preliminary hazard reports were 
presented. Along the way NASA and its contractors faced many challenges, made 
much progress, and even learned a few lessons. 


INTRODUCTION TO SPACE STATION FREEDOM 

Space Station Freedom is a complex vehicle, and some would say it is an even 
more complex program. Figure 1 shows the baseline configuration as of May 1993, 
and Figure 2 provides some key space station performance details. Since Freedom 
will be the largest space vehicle ever created, the work has been split up among 
several NASA centers in discrete "Work Packages" which are detailed in Figure 3. 

The first of Freedom's 17 assembly flights is scheduled for 1996 and the last is 
planned for the year 2000. After completion, four astronauts will live there on 90-day 
rotational assignments performing life science and materials processing experiments 
in microgravity. 

Freedom is a self-contained world orbiting around the earth that must supply 
all the needs for its crew including air, water, food, electricity, and climate control, 
just to name a few. Because evacuation of the space station in case of a fire, system 
loss, or mishap is expensive and risky. Freedom must have an extremely robust and 
failure tolerant design yet be simple enough that a crew of four can operate and 
maintain it. 

The space station has something of interest for every kind of System Safety 
engineer. Freedom presents hazards one might expect in an earth-bound industrial 
facility, and more. Space station hazards that would be familiar to every System 
Safety engineer include fire, electric shock, and pressure vessel rupture. Many 
hazards, however, sound like something out of a Buck Rogers episode. Impacts by 
orbital debris, atomic oxygen corrosion, loss of reboost capability, and electrical 
arcing between station and the plasma environment of low earth orbit all could cause 


a catastrophic loss. These are the most worrisome hazards since NASA has little or 
no prior experience with them. 


NASA's SAFETY REVIEW PROCESS AND ITS OBJECTIVES 

The objective of NASA's System Safety effort is to prevent injury or death to 
personnel and major system loss. The primary means to accomplish this objective is 
to characterize and document all hazards for NASA management so that they are 
cognizant of all risks. NASA program management has die authority to either 
eliminate, mitigate, or accept these risks. In keeping with this policy, all aspects of 
Space Station Freedom are being thoroughly reviewed by NASA for hazards to 
ground processing facilities, the crew, the space shuttle, and the station itself. All 
HRs must be approved and closed out by the program manager before the space 
station is launched. 

The system safety process used by NASA in the manned spaceflight world is 
similar to the MIL-S 1 D-882 approach — with a few modifications. Hazard analyses are 
performed to identify alL hazard causes and controls, and a Hazard Report (HR) is 
written to document each hazardous condition. Depending on the type of hazard, 
engineers from the responsible prime contractor will present each HR to as many as 
three different NASA safety review panels. HRs are reviewed by the panels at 
several points during the design and development of the space station as shown 
below: 

PHASE TIMEFRAME HR MATURITY 

Phase 1 PDR (Prelim Design Review) Hazard Causes/ Controls identified 

Phase 2 CDR (Critical Design Review) Control verifications established 

Phase 3 DCR (Design Certification) Control verifications closed out 

By signing off on these HRs at the Phase 3 safety reviews, NASA program 
management formally accepts the risk imposed by each hazard. 

NASA's three safety panels consist of the Ground Safety Review Panel (GSRP), 
the Shuttle Payload Safety Review Panel (PSRP) and the Freedom Safety Review 
Panel (FSRP). The GSRP is composed of Kennedy Space Center engineers who assess 
compliance with Kennedy Space Center's ground processing safety requirements 
document KHB 1700.7B and the risk posed by the payload to the facilities and 
personnel. The PSRP is composed of Johnson Space Center engineers who assess 
compliance with the shuttle payload safety requirements of NSTS 1700.7B and the 
risk posed by the payload to the Space Shuttle and astronauts. Providing substantial 
credibility and depth to the PSRP, a small army of experts supports the panel in 
various fields such as flammability, fracture mechanics, and toxicity. The FSRP is 
composed primarily of System Safety managers from the NASA centers working on 
Freedom who review hazards causing crewmember injury or loss /damage to the 
space station. In contrast to the PSRP and GSRP, the FSRP cannot accept risk, and 


2 




acts as an independent oversight committee making risk recommendations to space 
station program management. 


SPACE STATION FREEDOM SAFETY REVIEWS 

Between September 16, 1991 and January 28, 1993, the PSRP and FSRP jointly 
held a total of eight safety reviews, each lasting an average of a week. The first 
meeting in September of 1991 was labelled a "Pathfinder. Its purpose was to 
convene the FSRP for the first time and establish rules, meeting protocol, and safety 
philosophy. Both the PSRP and FSRP were also given presentations of the 
preliminary design of Freedom. At the Pathfinder an extraordinary number of 
System Safety engineers were present from various NASA centers and numerous 
aerospace corporations from around the country. Since every center and company 
brought its own "safety culture" to the meeting, extensive safety philosophy 
discussions were needed to gain consensus from this diverse group on the process 
and procedures for the upcoming series of Freedom safety reviews. 

Over the following sixteen months. Space Station Freedom was reviewed 
through the Man Tended Capability configuration, or first six assembly flights. All 
aspects of Freedom (except ground processing) were covered, including launch, on- 
orbit payload deployment, assembly by spacewalking astronauts, system startup, and 
nominal operation. 210 HRs were presented to the panels, and 188 were signed by 
them. Signature at Phase 1 indicates that the panels believe hazard causes are 
properly identified and the controls are adequate. Figure 4 shows the detailed 
breakdown of HRs signed and submitted per flight and Work Package. 

The HRs that were not signed were unacceptable to the panels for a variety of 
reasons. A few of the HRs documented procedures or designs which violated safety 
requirements. Other HRs were simply incomplete or vague. For example, one 
unsigned HR described the structural failure of an appendage, but after extensive 
questioning the PSRP determined that not all the failure modes were accounted for. 
Therefore, the HR was not sufficiently developed to the Phase 1 level. The Work 
Package revised the HR and returned at a subsequent review for concurrence. 

To resolve issues or discrepancies unearthed in the reviews, the panels 
assigned action items to the appropriate Work Package. Responses to these action 
items were presented at subsequent reviews and closed out if deemed acceptable by 
the panels. A typical action item levied on a Work Package was to determine if a 
particular subcontractor's honeycomb panel adhesive bonding process specification 
was adequate and to report the findings at the next safety review. Figure 4 details 
the number of action items assigned per Work Package at the reviews. As a rough 
indicator of the quality of the review, more thorough presentations received fewer 
action items. 

The safety reviews prompted the program to eliminate many hazards. In 
many instances the safety reviews served as the forum for management to see the 
whole scope of a hazard for the first time. Increased management appreciation of the 


3 


total risk of a hazard sometimes resulted in design or procedural modifications to 
mitigate or reduce those risks. A typical example of a hazard eliminated as a result 
of the safety review process was the elimination of sharp edges on the radiant heat 
fins of some electronic boxes. Since sharp edges could puncture the space suit, they 
are a potentially catastrophic hazard to the astronaut during an extra-vehicular 
activity. The simple solution was to round the sharp edges into a benign shape. 
Indeed, this was a design requirement, but in this application it was either not fully 
understood or deemed inconvenient by the designers. However, with the penetrating 
spotlight of the PSRP on the problem, it was not too long before a design change was 
implemented. 

Another more complex design change involved upgrading the thermal control 
system from zero to single failure tolerance. The electrical power system has its own 
thermal control system consisting of ammonia coolant loops throughout the structure 
which pick up heat from the electronics and reject it into space at the radiator. In a 
previous weight scrub exercise, the redundant ammonia coolant loops for the thermal 
control system were merged into one loop. A single impact from a chunk of orbital 
debris, although unlikely, could have penetrated this loop and caused the loss of all 
the coolant, in turn reducing the electrical power output from 18.75 kilowatts to 
nearly zero on the early flights— a catastrophic hazard. This risk had previously been 
accepted by NASA program management, but after the attention it received during 
the safety reviews, NASA reconsidered the risk and approved the design change back 
to two independent coolant loops. 

Many more examples of eliminated or controlled hazards exist, but the public 
probably will never hear about those successes because controlled hazards do not 
make newspaper headlines. That is the bittersweet nature of System Safety— its 
effectiveness is often intangible and only measured by degrees of failure. When 
Safety is successful, mishaps are prevented, but when Safety is unsuccessful, tragic 
loss occurs and everyone leams-too late-that the system was not safe enough. 

The safety reviews provided a valuable benefit to Freedom's System Safety 
engineers as well. By having a credible and highly visible forum to air the risk 
inherent in space station. System Safety moved higher in the esteem of the design 
community. Whereas previous system safety efforts and opinions were viewed by 
many as a nuisance, after the safety reviews System Safety began receiving more calls 
from various design groups to interact with them on design decisions. Management 
began soliciting Safety's opinions more often, and as a result more favorable risk 
decisions were made by the program. NASA benefitted immensely by having risk 
documented and presented in an impartial manner so that decisions could be made 
with full awareness of how the outcome would affect overall station safety. 


CHALLENGES AND ACHIEVEMENTS 
Streamlining the Safety Review Process 


4 


The task of successfully completing the safety reviews was not easy for NASA 
and its contractors. Many challenges and obstacles had to be met and overcome. 
Perhaps the greatest challenge was to present the ocean of information about 
Freedom to the panels in the time allowed. Approximately 10,000 pages of data were 
sent to the PSRP and FSRP. Contributing to the flood of data are the many different 
safety perspectives that NASA must consider. For example. Space Station Freedom is 
at times a payload processed at Kennedy Space Center, a payload in the Shuttle, a 
cargo element which must be attended to by spacewalking astronauts during 
assembly operations, and a free-flying autonomous space vehicle required to survive 
30 years in low earth orbit. Nothing in the history of spaceflight has had as many 
interfaces, contractors, facilities, and operations involved. __ . 

To minimize the time required to complete a safety review, the Work Packages 
learned to give more efficient safety presentations. Early reviews tended to be filled 
with parameters and design details of interest to the designers (cost, weight, and 
performance trade studies) but of limited interest to the safety panels. As the 
reviews progressed, the presenters became better able to focus on the safety-related 
aspects of designs such as hazard causes and controls. Progress was measurable: the 
first safety review (MB-01) required about eight days to complete and only 20 HRs 
were submitted, while the last safety review (MB-06) was completed m five days and 
56 HRs were submitted. Assuming each review was equally adequate, this 
represents an increase in meeting efficiency of 448% ! 


Coordinating multiple interfaces 

Another challenge which complicated the safety reviews was the incredible 
number of people, organizations, and interfaces involved in the Freedom program. 
Three NASA centers and several international partners are responsible for different 
pieces of station, and each attended the safety review with their own prime 
contractors and subcontractors. Representatives from other NASA committees would 
attend as well. Aside from the "people interfaces", there are a number of mechanical 
and software interfaces. For example. Work Package 2's main computer system 
partially controls Work Package l's life support system and both are supplied power 
by Work Package 4's electric power system. A failure that knocks out a power bus 
could also take down the life support system unless power is rerouted quickly by the 
main computer system. Intermingled hazards like these create considerable room for 
debate about which organization should write and present each hazard. 

To coordinate the agenda and flow of each safety review, a telephone 
conference, or "dry run," was held a few weeks before. At the dry run, the NASA 
centers attempted to set up a logical sequence of presentations and HRs. Sometimes 
interface issues, such as which center would write a hazard report on which subject, 
would be worked also. A few times small telephone conferences were held with key 
PSRP and FSRP members to brief them on upcoming high-profile safety issues. The 
dry-run and coordination meetings reduced the time spent at the safety review 


5 


working the mundane administrative issues and allowed the Work Packages to focus 

more on the technical issues and HRs. 

Another resource saving measure was minimizing the attendance at the 
reviews. Approximately one-hundred people attended the first couple of reviews, 
perhaps because of the novelty. As the reviews became more commonplace, 
attendance by non-participants slackened. Also as presenters became more familiar 
with the types of questions asked by the panels, fewer engineers were needed at the 
review to provide supporting information. One technique was to have engineers on- 
call" back at the contractor's site. Questions not answerable by those present at the 
review were phoned to those on-call, and answers could be given to the panels 
minutes later. As a result, attendance at later reviews was probably one-third that of 
the first. Also, a few times NASA saved money by flying the safety panels to a Work 
Package rather than sending the Work Package to the safety review panels. 


Reducing HR Development Time 

In the beginning, a long lead-time— 6 months not being unusual— was required 
to gather the safety data, write the hazard reports, review and revise them internally, 
and release them to the panels. Since designs sometimes changed radically in 6 
months, much effort was made to reduce the safety package preparation time to a 

more responsive 2-3 month cycle. . 

Because hazard reports are somewhat sensitive documents, initially program 
management was hesitant to air them in public without extensive coordination and 
scrutiny. Various internal "pre-review reviews" and other forums were set up among 
the Work Packages so that program management would not be surprised by the 
content of the HRs at the safety review. Over time, however. Work Package 
management became more comfortable with the safety reviews and some of the extra 
meetings were dropped. Program managers and System Safety engineers developed 
proactive lines of communication as System Safety was brought more into the 
decision making process. Many managers found that by paying attention to Safety 
early on, they had no need to set up additional "hoops" for Safety to jump through 
later. 


Reviewing Cutting Edg e Technology 

Another factor which slowed the pace of the reviews was that many of the 
space station designs and operations are on the cutting edge of technology. More 
lines of software code will be written for Freedom than for any previous space 
vehicle. More functions will be autonomously monitored, cycled, and reconfigured 
by the on-board computers without the crew in the loop. Thousands of hours of 
extra-vehicular activity will be required to assemble and maintain Freedom. Also 
several different robots will be installed on Freedom to assist with maintenance and 


6 



assembly tasks. All these represent new genres of hazards to work. Since little or no 
experience base exists to guide the safety panels on these subjects, review of these 
designs and operations proceeded slowly and cautiously. 


Safety Panels Adjusted, too 

The panels, too, had challenges to overcome. Both the PSRP and FSRP had to 
adjust to the sheer volume of data. More homework was required of members before 
a review than with other, simpler payloads. Many different requirements or 
definitions existed in the Freedom program than in other payloads, at times causing 

some confusion among panel members. 

A major adjustment had to be made in the authority traditionally granted to 
the PSRP. Usually the absolute authority in matters of Shuttle and Crew safety, the 
PSRP was confronted with a program that would not and could not always yield to 
their mandates. For all other payloads, the PSRP has "fly /no-fly" authority and 
ensures that any undue risk to the Shuttle is eliminated or shifted into the payload, 
regardless of cost and schedule. With Freedom however, a larger, holistic risk 
management approach is required. Since the Space Station Freedom program is 
every bit as important to NASA as the Space Shuttle Program, sometimes it is in the 
best interest of NASA to accept a small risk to Shuttle rather than to accept a large 
risk to Freedom. In the spirit of Station /Shuttle joint risk management, some 
longstanding payload requirements have been relaxed— although not forgotten— by the 
vigilant members of the PSRP. 

One example of a relaxed requirement pertains to electrical connectors. 

During assembly operations on Freedom, many electrical connections have to be 
made by spacewalking astronauts. According to the PSRP's NSTS 1700.7B 
requirements, three inhibits (open switches) must be in place to permit the electrical 
connection. Due to the unreasonable weight and cost increases to implement this on 
Freedom, the PSRP decided to allow a single inhibit for electrical connections, 
provided that the Work Packages prove that no arcing hazard is present should that 
inhibit fail. 


Generic Hazards 

Early on during the reviews it was noted hazards such as micrometeoroid 
impact, atomic oxygen degradation, and battery leakage were not unique to any 
particular flight or mission stage but rather recurred throughout the life of Freedom. 
After considerable debate, the panels agreed to accept "generic" hazard reports for 
these situations. Generic HRs would be presented and signed only once. For each 
subsequent flight or stage where that generic hazard was present, the FIR would be 
included in the safety data package but not presented again to the panels, greatly 
reducing the paperwork. For example, during the reviews. Work Package 4 


7 


presented 34 generic HRs to the panels versus 204 HRs that would have been 
required if each flight's hazards had to be handled individually. 


Keeping track of the paperwork 

With so many different flights, contractors, review panels, HRs, and systems to 
consider, it quickly became confusing who had presented what to whom and when. 
To alleviate the confusion, a "master matrix" was developed by the Work Packages to 
record what HR had been presented to which panel and when. Figure 5 shows an 
example of a master matrix. The idea is to simultaneously show what flight a hazard 
is present, when the HR was presented to which panel, and if the HR was generic or 
specific to a particular flight. 

In addition to matrices. Work Packages began presenting "Hazard Trees at the 
beginning of each review. Figure 6 is an example tree from Work Package 4. The 
tree illustrates the coverage of each HR and where it fits in relation to the rest of the 
HRs, much like an illustrated table of contents. Hazard trees reduced the confusion 
of where a particular hazard was documented in the HRs, and minimized questions 
from the panel members. 


CONCLUSION 

The primary achievement of the safety reviews was that for the first time in 
the Freedom program, NASA management received a comprehensive look at the 
overall risk of Space Station Freedom. Managers and engineers alike gained a greater 
appreciation of the discipline of System Safety. Safety organizations gained more 
credibility and stronger lines of communication within the design community. While 
it is difficult to measure the amount of risk eliminated as a result of these safety 
reviews, there is no question that the overall risk has been reduced. Design changes 
prompted by the reviews have eliminated several catastrophic hazards. 

The safety review process has been streamlined considerably. System Safety 
engineers and panel members are gaining proficiency in the process, and as a result, 
fewer resources are required to review more material. Several new techniques and 
tools have been developed to make the reviews more efficient such as the "generic" 
HR and the hazard tree. Fewer engineers are required to support the reviews, and 
fewer "pre-reviews" are necessary within each NASA center. 

The task of System Safety in the Space Station Freedom Program is ongoing, 
and sometimes it seems never-ending. There are at least 11 more flights to be 
reviewed at the Phase 1 level, and then all 17 flights must be reviewed again at the 
Phase 2 and Phase 3 level before Freedom is complete in 2000. With so many more 
reviews ahead, there is no doubt that further improvements will be made along the 
way. 


8 



BIOGRAPHY 


David W. Robinson 
NASA Lewis Research Center 
Mail Stop 501-4 
21000 Brookpark Rd 
Cleveland, OH 44070 USA 

David Robinson is a System Safety engineer at the Lewis Research Center. He has 
been working on the Space Station Freedom Program since receiving a B.S in 
Aerospace Engineering from the University of Virginia in 1990. 


9 




Configuration Capabilities 


Man Tended Capability Permanently Manned Capability 


1997 

2000 

Power . h . 

. _ . .. ,18.75 kW - 1 FV. module . 

,, 56.25 kW - 3 PV modJes 

Module length 

27 ft. - 1 microgravtty lab 

27 ft. - 1 lab. 1 hab 

US. lab user rocks (ISPRs) 

- 12 

3 ^ 12 33 3 7 . 

User research power 

11 kW 

30 kW 

Logistic rrxxJuie capacity 

; MPLM-Sracks 33;. 3,3" ' 

3 * PLM - 20 nocks : ’ ' : 

Command uplink 

70 kbps 

70 kbps 

Datadownlnk, w 

. : v . 43Mbps 33 _ \ 

3 V . . 43 Mbps _ 

Gravity level 

.. .. ^0 

1 H9 

Attached payfood occoavTKXkitions 

- . 2 ports . r PZ'P. 

3:3.. 4 ports 

U.S. assembly and logistics flights 

6 

17 

Permanent crew sfee 

3: : 3^'3/33i33 o ' ; 

3 4 expandable to 8 _ 3 ; 3 3 Z 

Dedicated crew for research 

4 (while on station) 

2 (continuous) 

■UHbatlon «ghts'(MTC to PMC) 'Pp 

•• . ;; \:\p'rp-z p~ 

;3331 : 3 

Truss 

4 segments built and checked out on ground 7 segments built and checked out on ground 

'^Length {total) T~1 . '333 .;33;3: 

££r. .Av ; * 

♦ v '- l-“- ; 353 -sV ' ->* 

Pressurized resource nodes 

1 

2 

International hardware: Canada 

Mobte Servicing System (simpWed) 3"3* 

Mobte Servicing System ~ .3 3.1 . 

Japan 

none 

JEM - 10 ISPRs 

Europe 3.. 

333 3 . 33 ' 33 '.3. v '* f. 3 • 

3 £3 APM- 20 ISPRs V ; 3 33 33 3 

Life Support 

Shuttle supported 

regenerative water loop 

Propufcion . ; 333-3" 

r ; 2 downsized modules ... „ . . 

33 4 4 modules 3- 33. v 

Pressurized docking adapter 

1 

2 

AMOC* ' 3—3 .;3.3':3333 



Assured Crew Return Vehicle 

0- use Shuttle 

1 


Figure 2. 


11 




12 









Space Station Freedom 
Safety Review Statistics 


Assembly Flights 1-6 



WP-01 


WP-02 


WP-04 


CSA 


OTHERS 

TOTALS 

FLIGHT HR* si g T,ed/ | 

XTinvfRlTD presented 

AIs 

HRs signed/] 
presented 1 

AIs 

HRs signed/] 
presented 1 

AIs 

HRs signed/] 
presented 

AIs 

HRs signed/ 
presented 1 

AIs 

HRs signed/ 
presented 1 AIs 

UIT1 

MB-01 

— r 

0/0 i 

i 

0 

li/ii i 

29 

9/9 I 
1 

5 

0/0 l 

i 

0 

1 

0/0 1 
i 

3 

i 

20 / 20 >37 

l 

MB-02 

0/0 i 
I 

0 

i 

16/16 i 
l 

7 

1 

15/16 i 
i 

1 

i 

0/0 i 
1 

0 

i 

0/0 i 

1 

5 

l 

31/32 i 13 

l 

MB-03 

0/0 ! 

1 

0 

16/16 , 
I 

3 

0/0 | 
1 

0 

0/0 1 
1 

0 

0/0 

1 

0 

16/16 , 3 

l 

MB-04 

1 

9/9 | 

4 

17/19 | 

1 

12 

15/15 | 
1 

4 

1/4 ! 

I 

8 

0/0 | 
1 

1 

42 / 47 ] 29 

l 

MB-05 

1 

12/14 j 

4 

1 

17/25 | 

8 

1 

0/0 | 

0 

1 

0/0 J 

0 

0/0 [ 

1 

1 

29/39 [ 13 
1 

MB-06 

l 

23/24 1 

l 

3 

l 

17/20 1 

l 

4 

i 

9/11 1 

i 

2 

i 

0/0 1 
1 

1- 

1 

1 

0/0 1 
1 

4 

1 

50/56 1 14 
1 


h 

44 / 47 1 

11 

t 

94/ 107 1 

63 

• — ■ r 

48/51 1 

12 

r 

1/4 1 

9 

1 

0/0 1 

14 

188/ 210 '109 


MB = Manned Base (MB -01 = Manned Base Assembly Flight #1) 
WP = Work Package (WP-01 = Work Package #1) 

CSA = Canadian Space Agency 
HRs = Hazard Reports 
AIs = Action Items assigned 

NOTE: Figures do not include HRs deleted, withdrawn, or combined 


Figure 4. 

13 



MASTER MATRIX 


HR No, Hazard Description MB-01 MB-02 MB 03 MB-04 

7512 CREW INDUCED HARDWARE DAMAGE DURING *, ,* 0 / ,0 *t r* *t r* 

ASSEMBLY OPERATIONS 

7513 SHARP EDGES, CORNERS, PROTRUSIONS; EVA F, ,P , $ , , r r 

INJURY DURING MB-01 ASSEMBLY OPERATIONS 

7518 PREMATURE DEPLOYMENT OF APPENDAGES F, ,P , , / r f r 

DURING MB-01 ASSEMBLY OPERATIONS 

7521 FAILURE OF MB-01 CARGO ELEMENT , ,F , t r f r r 

ATTACHMENTS 

7525 EPS HIGH TRANSIENT CURRENT SURGES DURING , , F, , , , r * 

START-UP 

7540 NI-H2 BATTERIES STRUCTURAL FAILURE , , 0/ t *r * * t r 


Legend : 

F — Flight-specific Hazard report presented to the FSRP 

G = Flight-specific Hazard report presented to the GSRP 

P = Flight-specific Hazard report presented to the PSRP 

* = Generic Hazard Report applicable to one or more flights 

8 = Generic Hazard Report presented at a safety review 
, , = Three columns: 1st column denotes applicability to FSRP 
“ 2nd column denotes applicability to GSRP 

3rd column denotes applicability to PSRP 


Figure 5. 


14 



Example Hazard Tree 


SSF Loss/Damage 

1 j 


Structural 

7512: Crew induced h/w damage 
7540: Battery leak/rupture 
7547: Structural Failure of SPM 
7616: Unsafe berthing; stuck mast 


Loss of Power to 
Critical Functions 



Nat'l /Induced Environment Hardware Failures EPS function loss 


7501: Atomic Oxygen 

7516: TCS pump failure 

7524: 

7502: Ionizing Radiation 

7621: Passively cooled DDCUs 

7631: 

7503: Meteoroid/Orbital Debris 


7632: 

7522: EMI to and from EPS 


7634: 

7548: Corrosion/Contamination 


7637: 



7641: 



7643: 


EPS fault currents 
Battery charging failure 
Loss of EPS channel 
EPS stability 
Post-startup transients 
Loss of EPS data 
Voltage reg. malfunction 


Figure 6. 


15 



REPORT DOCUMENTATION PAGE 


Form Approved 
OMB No. 0704-0188 


Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, 
gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this 
collection of information, including suggestions for reducing this burden, to Washington Headquarters Services. Directorate for Information Operations and Reports, 12 15 Jefferson 
Davis Highway Suite 1204, Arlington. VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0108), Washington, DC 20503. 


1. AGENCY USE ONLY (Leave blank) 


4. TFTLE AND SUBTITLE 


2. REPORT DATE 


July 1993 


3. REPORT TYPE AND DATES COVERED 

Technical Memorandum 


5. FUNDING NUMBERS 


Achievements and Challenges of Space Station Freedom’s Safety Review Process 


6. AUTHOR(S) 


WU-474-17-10 


David W. Robinson 


7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 

National Aeronautics and Space Administration 
Lewis Research Center 
Cleveland, Ohio 44135-3191 


8. PERFORMING ORGANIZATION 
REPORT NUMBER 


E-7959 


9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 

National Aeronautics and Space Administration 
Washington, D.C. 20546-0001 


10. SPONSORING/MONITORING 
AGENCY REPORT NUMBER 


NASA TM- 106199 


11. SUPPLEMENTARY NOTES 

11th International System Safety Conference, sponsored by the System Safety Society, Cincinnati, Ohio, 
July 28-August 2, 1993. Responsible person, David W. Robinson, (216) 433-2553. 


12a. DISTRIBUTION/AVAILABILITY STATEMENT 12b. DISTRIBUTION CODE 

Unclassified - Unlimited 
Subject Category 15 


13. ABSTRACT (Maximum 200 words) 

The most complex space vehicle in history, Space Station Freedom, is well underway to completion, and System Safety 
is a vital part of the program. The purpose of this paper is to summarize and illustrate the progress that over one-hundred 
System Safety engineers have made in identifying, documenting, and controlling the hazards inherent in the space station. 
To date, Space Station Freedom has been reviewed by NASA’s safety panels through the first six assembly flights, when 
Freedom achieves a configuration known as Man Tended Capability. During the eight weeks of safety reviews spread out 
over a year and a half, over 200 preliminary hazard reports were presented. Along the way NASA and its contractors 
faced many challenges, made much progress, and even learned a few lessons. 


14. SUBJECT TERMS 


Safety; Space station; Freedom safety review panel 


17. SECURITY CLASSIFICATION 18. SECURITY CLASSIFICATION 19. SECURITY CLASSIFICATION 
OF REPORT OF THIS PAGE OF ABSTRACT 

Unclassified Unclassified Unclassified 

NSN 7540-01-280-5500 


IS. NUMBER OF PAGES 

16 


16. PRICE CODE 

A03 


I 20. LIMITATION OF ABSTRACT 


Standard Form 298 (Rev. 2-89) 
Prescribed by ANSI Std. Z39-1B 
298-102 














